Key attestation的几个关键点!
Key attestation就是密钥认证,之前介绍过:
下图是Google Android密钥认证的架构图。基本上TEE OS、Keystore、Keymaster等等都有相关涉及。
我们今天来总结一下密钥认证的几个关键点:
Attestation details
● 认证可以应用于RSA或EC密钥。
● 证书是以X.509证书的形式出示的。
● 认证密钥(ECDSA和RSA)将设置在工厂。
● 谷歌将提供CA根,并将认证密钥。
Key Provisioning
● 谷歌将为谷歌批准的设备认证认证密钥。
● 密钥将被部署到设备上,每10K设备用一个密钥。
● 谷歌将创建密钥并对它们进行验证。
这个过程是与Widevine密钥分配过程非常类似(将可能使用相同的交付方法)。
密钥撤回:密钥撤销将通过CRL和OSCP被取消
● 安全密钥注入只能在工厂完成,所以设备被吊销的密钥将永久不受信任。
● 密钥被注入到设备批次中,因此撤销至少影响整个批处理。
● 撤销将应用广泛的需要,根据泄漏的性质和范围。
其他的keystore安全措施:
● More elliptic curve functionality:ECIES ECDH
● Exportable symmetric keys
● Fingerprint-bound keys that are not revoked on fingerprint enrollment
● OS version binding to protect against OS rollback
Bootloader修改:
新的硬件密钥库功能需要一些BootLoader功能:
● Bootloader must provide OS version and patch level to TEE.
● Bootloader must provide Verified Boot public key and lock status to TEE.
CDD测试要求:
Hardware-backed keystore will be MANDATORY in a future release.
● All algorithms (RSA, AES, ECDSA, ECDH, ECIES, HMAC)
● All hash functions (MD5, SHA1, SHA-2 family)
● Hardware Gatekeeper (on devices with lockscreens)
● With brute force protection in hardware
● Hardware attestation support
FIDO and Android KeyStore Attestation
KeyStore attestation is similar to—but not an implementation of—FIDO U2F.
● U2F uses other data structures and protocols that are too specific for a
general-purpose crypto toolkit.
● KeyStore attestation does provide all of the security properties desired by
FIDO relying parties.
● Google will work with FIDO to reconcile the issues.
● Bottom line: FIDO relying parties will be able to use KeyStore. This is
expected to drive widespread use of KeyStore.